3 Answers

Expect it to be compromised. There isn't a good way to do anything other than obfuscate a private key. The best bet is probably to store it in the cryptographic library of the system that the software is running on. If you're lucky it might have a TPM or HSM that can store the key securely. What are you trying to accomplish with the private key? That might help give better feedback on the best way to securely accomplish your goal.

In my case the key is used to decrypt some files, but my question is more global! And no luck, there is no HSM or TPM on the system!
– darkheir Feb 13 '13 at 14:24


@darkheir - where are the encrypted files coming from? Are they on the computer permanently? Are they sent from a remote server? Is offline decryption necessary? If possible, the safest bet may be to not store the decryption key on the client, but rather store it on the server and only provide it to the client after completing a challenge with the server. A compromised client could still leak the key in that case, but it would prevent a static analysis without the credentials. (Alternately, storing the private key encrypted with a password that the user has to enter would also do a littl
– AJ Henderson Feb 13 '13 at 14:27

Sadly the encrypted file is coming from the same system and it has to work offline! I'll investigate the idea of a cryptographic library; it seems that Microsoft has a key storage architecture, which could be interesting.
– darkheir Feb 13 '13 at 14:30


@Darkheir - if it is coming from the same system, why use a private key as opposed to a symmetric one? Also, does it need to protect against the legitimate user accessing the protected data or just against attackers trying to access the user's data?
– AJ Henderson Feb 13 '13 at 14:37

Only one program has to be able to read data sent by multiple other programs, so asymmetric encryption seems to me the way to go. For the key, the best would be that only the program can access the private key; it's better if even the legitimate user can't access it.
– darkheir Feb 13 '13 at 14:46

There is no 100% reliable way to hide a secret of any type, be it an RSA private key or any other kind of object, within an application in such a way that it would resist reverse engineering. All those who have tried have failed. There are good theoretical reasons why it should not be possible: namely, at some point, the CPU will use the secret value and thus have it under its fingers; by running the code in an emulator, attackers can obtain it as well.

(The emulator is the just-drop-a-nuke-on-it kind of solution; it works and is sufficient to demonstrate impossibility of protection, but attackers invariably use a bit more brain in their reverse engineering.)

The best you can have is user-specific secrets, so that, at least, you can manage things server side by shutting down access for offenders (if an access-granting key is compromised, simply inform the server that this specific key shall no longer be accepted). This is what is done in satellite TV: the signal is broadcast, encrypted with a key K (which changes every few minutes), and the key K is itself encrypted with the secret key which is in the receiver smart card; each receiver has its own smart card. When a card appears to be massively cloned (breaking a card is expensive, but once it is broken, making 3000 copies is cheap), the TV distributor just stops distributing the version of K encrypted with the key which is in the compromised card, thus effectively blocking access for all copies.
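The satellite-TV scheme above, written out as an added example (this is not code from any of the answers): the distributor encrypts content under a short-lived key K, publishes K wrapped separately under each card's long-term key, and revokes a cloned card by no longer publishing K for it, so the original and all its copies lose access together. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; a real deployment would use an AEAD such as AES-GCM from a vetted library. All card identifiers and keys are constructed for the demo.

```python
"""Broadcast encryption with per-card key wrapping and revocation (added example).

Models the satellite-TV scheme from the answer above: content key K rotates,
K is wrapped under every authorised card's key, and revocation means
"stop publishing K wrapped for that card". Cipher is a stdlib-only
HMAC-SHA256 CTR keystream plus encrypt-then-MAC; use a real AEAD in practice.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys derived from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class Distributor:
    """Head end: knows every card's long-term key, rotates K each broadcast and
    publishes one wrapped copy of K per card that has not been revoked."""

    def __init__(self, card_keys: Dict[str, bytes]):
        self._card_keys = dict(card_keys)
        self._revoked: set = set()

    def revoke(self, card_id: str) -> None:
        self._revoked.add(card_id)

    def broadcast(self, content: bytes) -> dict:
        k = os.urandom(32)  # fresh content key for this period
        wrapped = {cid: encrypt(ck, k)
                   for cid, ck in self._card_keys.items() if cid not in self._revoked}
        return {"payload": encrypt(k, content), "wrapped_keys": wrapped}


class Receiver:
    """Set-top box holding one card's secret. A clone holds the same card id
    and secret, so it succeeds or fails together with the original."""

    def __init__(self, card_id: str, card_key: bytes):
        self.card_id, self._card_key = card_id, card_key

    def receive(self, frame: dict) -> Optional[bytes]:
        wrapped = frame["wrapped_keys"].get(self.card_id)
        if wrapped is None:
            return None  # no K published for this card: it has been revoked
        k = decrypt(self._card_key, wrapped)
        return decrypt(k, frame["payload"])


def demo() -> dict:
    # Constructed cards and keys; "card-B" is the one that gets mass-cloned.
    cards = {"card-A": os.urandom(32), "card-B": os.urandom(32)}
    head_end = Distributor(cards)
    alice = Receiver("card-A", cards["card-A"])
    bob = Receiver("card-B", cards["card-B"])
    clone_of_bob = Receiver("card-B", cards["card-B"])

    before = head_end.broadcast(b"programme 1")
    head_end.revoke("card-B")  # cloning detected: stop wrapping K for card-B
    after = head_end.broadcast(b"programme 2")
    return {
        "alice_before": alice.receive(before),
        "clone_before": clone_of_bob.receive(before),
        "alice_after": alice.receive(after),
        "bob_after": bob.receive(after),
        "clone_after": clone_of_bob.receive(after),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note that revocation costs the legitimate holder of the compromised card its access as well: the distributor cannot tell the original from its copies, which is exactly why the answer stresses per-user secrets rather than one key shared by every installation.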

While there is no 100% reliable way, using an HSM provides good protection against many attacks like emulators or other forms of tampering. HSMs are designed to be true black boxes, so unless you are a government that can deal with vacuum chambers or magnetic traps, HSMs are pretty safe. Normally if somebody uses an HSM, the attack shifts from getting the key to breaking into the HSM, which requires online access.
– fernacolo Jan 2 at 21:25

Whilst the system you are using doesn't currently have a Hardware Security Module (HSM) in it, you can buy them separately (e.g. as add-in cards, smart cards or separate boxes). Depending on your situation (value of key, exposure, etc), this might be worthwhile.

Correct use of an HSM will ensure that even the application cannot directly access the private key. This moves the problem on to protecting (ab)use of the services offered by the HSM (e.g. decrypting files), where you are assisted by whatever authentication options the HSM provides.